Security Researchers Reveal Permanent BootROM Vulnerability in Apple A12 and A13 Chips

"A hardware-level vulnerability in the SecureROM of Apple's A12 and A13 chips cannot be patched by software."

Security research firm Paradigm Shift has disclosed a hardware-level vulnerability in the SecureROM of Apple's A12 and A13 system-on-chips (SoCs), along with a proof-of-concept exploit named "usbliter8." The vulnerability, which cannot be patched via software updates, allows an attacker with physical possession of a device to achieve arbitrary code execution during the device's startup sequence.

Vulnerability Details

Technical Origin

The exploit targets a flaw in the Synopsys DWC2 USB controller, specifically in its Direct Memory Access (DMA) buffer handling. A mismatch between the write pointer update and the actual bytes written creates a buffer underflow condition, allowing the write pointer to step backwards through memory.

Chip-Specific Behavior

  • A12 Chips: The DMA buffer is adjacent to the USB task's stack. Overwriting a saved link register gives the attacker control of the program counter at the next context switch.
  • A13 Chips: Pointer Authentication Codes (PAC) protect stack return addresses. The bypass instead corrupts Input-Output Memory Management Unit (IOMMU, also known as DART) heap structures to build write primitives, overwrites the panic depth counter to prevent reboots, and finally overwrites the USB interrupt handler pointer in BSS. The next USB interrupt then runs attacker-supplied code at Exception Level 1 (EL1) within SecureROM.

Unaffected Chips

  • A11: Not affected because its USB driver resets the DMA address after each packet.
  • A14 and later: Not affected because these chips configure the USB DART correctly, preventing the underflow from being exploited.

Affected Devices

SoCs

  • A12, A13, S4, S5
  • A12X and A12Z are theoretically supported but not implemented in the public proof-of-concept.

Device Families

  • A12: iPhone XS, XS Max, XR; iPad Air (3rd gen), iPad mini (5th gen), iPad (8th gen)
  • A13: iPhone 11, 11 Pro, 11 Pro Max, iPhone SE (2nd gen)
  • S4 / S5: Apple Watch Series 4, 5; Apple Watch SE (1st gen); HomePod mini

Exploit Requirements and Process

Access Requirements

  • Physical possession of the device
  • Device must be in DFU (Device Firmware Update) mode
  • Connection via USB to a dedicated RP2350-based microcontroller board
  • The exploit completes in under two seconds before Apple's signed boot chain loads.

Post-Exploitation Capabilities

  • Inject a custom USB request handler
  • Stamp "PWND:[usbliter8]" into the device's USB serial string
  • Temporarily demote the SoC's production mode
  • Boot a raw, unsigned iBoot image without signature checks
  • Alter device security settings
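The stamped serial string gives defenders a cheap inventory check. The following is an added example, not code from the article or from Paradigm Shift: it parses the KEY:VALUE tokens that Apple devices expose as their USB serial string in DFU mode (as shown by `lsusb -v` or pyusb) and classifies each device as pwned, affected but unmarked, or unaffected. The CPID-to-chip mapping and the sample serial strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# CPID -> chip family. Assumption: these are the commonly published chip IDs;
# confirm against your own inventory tooling before relying on them.
AFFECTED_CPIDS = {"8020": "A12", "8030": "A13"}
OTHER_CPIDS = {"8015": "A11", "8101": "A14"}

PWND_MARKER = "usbliter8"  # marker the article says the exploit stamps into the serial


@dataclass
class DfuAssessment:
    cpid: Optional[str]
    chip: Optional[str]
    affected: bool               # SoC is in the permanently affected set
    pwned_marker: Optional[str]  # value of PWND:[...] if present


def parse_dfu_serial(serial: str) -> Dict[str, str]:
    """Split a DFU serial such as 'CPID:8020 ... PWND:[usbliter8]' into
    key/value pairs; bracketed values (SRTG, PWND) lose their brackets."""
    fields: Dict[str, str] = {}
    for token in serial.split():
        key, sep, value = token.partition(":")
        if sep:
            fields[key] = value.strip("[]")
    return fields


def assess_dfu_serial(serial: str) -> DfuAssessment:
    f = parse_dfu_serial(serial)
    cpid = f.get("CPID")
    chip = AFFECTED_CPIDS.get(cpid) or OTHER_CPIDS.get(cpid)
    return DfuAssessment(cpid=cpid, chip=chip,
                         affected=cpid in AFFECTED_CPIDS,
                         pwned_marker=f.get("PWND"))


def triage(serials: List[str]) -> List[str]:
    """One verdict per device: 'pwned' if the marker is present, 'affected'
    if the SoC is vulnerable but unmarked, otherwise 'unaffected'."""
    verdicts = []
    for s in serials:
        a = assess_dfu_serial(s)
        if a.pwned_marker == PWND_MARKER:
            verdicts.append("pwned")
        elif a.affected:
            verdicts.append("affected")
        else:
            verdicts.append("unaffected")
    return verdicts


# Constructed sample serial strings (not captured from real devices).
SAMPLE_PWNED = ("CPID:8020 CPRV:11 CPFM:03 SCEP:01 BDID:0C ECID:0000000000000000 "
                "IBFL:3C SRTG:[iBoot-placeholder] PWND:[usbliter8]")
SAMPLE_A13 = "CPID:8030 CPRV:11 CPFM:03 SCEP:01 BDID:04 ECID:0000000000000000 IBFL:3C SRTG:[iBoot-placeholder]"
SAMPLE_A14 = "CPID:8101 CPRV:10 CPFM:03 SCEP:01 BDID:0A ECID:0000000000000000 IBFL:3C SRTG:[iBoot-placeholder]"
```

An "affected" verdict only means the silicon is in the vulnerable set; absence of the marker is not proof the device was never exploited, since the stamp lives in volatile state and disappears on reboot.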

Limitations

  • The vulnerability does not directly affect the Secure Enclave, though it could serve as an avenue for further attacks.

Disclosure and Mitigation

Disclosure Process

Paradigm Shift reported the findings to Apple Product Security and coordinated disclosure. The full proof-of-concept code has been published on their website (ps.tc).

Permanence

Because the flaw exists in SecureROM, which is burned into silicon during manufacturing, no software update can patch it. This characteristic resembles the checkm8 exploit disclosed in 2019.

Risk Assessment

  • As of June 19, 2026: No CVE, CVSS score, Apple security advisory, or CISA alert had been issued.
  • No in-the-wild exploitation had been publicly reported.
  • Practical risk is low for most users because physical access and specialized hardware are both required.
  • High-security environments are advised to treat affected hardware as permanently compromised and prioritize equipment refreshes to A14 or newer chips.